| Term | Definition |
|---|---|
| | Controls that are present in the environment surrounding the information system. |
| | Consists of separating the four basic functions of event processing: authorizing events, executing events, recording events, and safeguarding the resources that result from consummating events. |
| Segregation of Duties: Why? | To detect erroneous record keeping and to limit the ability of a single employee to commit and conceal fraud, errors, or other kinds of system failures. |
| Segregation of Duties: What? | Custody, authorization, and record keeping. No single person should be able to initiate the transaction, approve the transaction, record the transaction, reconcile balances, handle assets, and review reports. |
| Segregation of Duties: Also? | There should be a separate information systems function (ISF), with duties segregated within the ISF so that no one person has access to the computer, its programs, and the live data. |
| | Convert data into machine-readable form and run the equipment. |
| | Develop, write, and debug programs. |
| | Controls access to data, programs, and documentation to reduce unauthorized program changes and computer operations. |
| | A plan or process put in place to guide actions and thus achieve goals. |
| Program Change Controls: Why? | To ensure that software development and software changes are appropriate and meet established objectives. |
| Program Change Controls: What? | A process to ensure that program development and program changes are properly authorized, tested, reviewed, and approved before implementation. |
| Program Change Controls: Also? | There should be separate development, test, and production environments so that program changes do not affect live production. User acceptance testing should be conducted to help ensure that new programs and changes to existing programs are acceptable, meet user expectations, and are more thoroughly tested. Developers should not be allowed to move new or modified programs from the test environment to the production environment, since doing so could bypass the complete review process. |
| | To ensure an adequate supply of competent and honest employees. |
| | Hire good people, develop them and invest in them, and keep them happy; supervise them; and let them go properly when necessary. |
| | Background checks, aptitude assessment, attitude and integrity evaluation. |
| | Challenging assignments, identified career paths, competitive salary and rewards. |
| | Training and education, performance evaluations. |
| | Forecasting turnover and labor needs, skill banks. |
| | Job rotation, required vacations, fidelity bonding. |
| | Proper handling of terminations and reassignments to other areas. |
| | To ensure that organizational data/information and related data/information resources are not subject to unauthorized use, disclosure, modification, damage, or loss. |
| | Physically restrict people from getting close to the resources and keep them from having inappropriate access to the system. |
| | Locks, guards, fences, badges, visitor logs. |
| | Passwords, firewalls, encryption. |
| | Prove you are who you say you are. |
| | What actions you can and cannot take. |
| | Log and look for unusual system activity. |
| Disaster Recovery and Backup: Why? | When some disaster occurs, I want to be back up and running as quickly as possible. |
| Disaster Recovery and Backup: What? | I need to consider every component of my system, identify what could happen in the event of a disaster, and prepare for such occurrences. |
| Disaster Recovery and Backup: Also? | Planning, documenting, training, and testing of my disaster recovery plan. Identify key functions/activities and assign responsibility for each function/activity. Backups of hardware, software, telecommunications, data, and people. Other matters such as personnel issues. |
| | Ensuring that files are used for their intended purpose, cannot be altered unless warranted, and are updated completely and correctly in a shared environment. |
| | Allows tracing a transaction from its origin to its destination in accounting reports and vice versa; a record of system activity by system and application processes and by user activity on systems and applications. |
| | Relating different sets of data to one another to identify and investigate differences and take corrective action when needed. |
| | Physical inventory counts and accounts receivable confirmations. |
| Variance Analysis and Analytical Review | Investigating and resolving differences and changes. |
| | Control Objectives for Information and Related Technology; developed by the IT Governance Institute to provide guidance to managers, users, and auditors on best practices for the management of information technology. |
| | IT is aligned with the business. IT enables the business and maximizes benefits. IT resources are used responsibly. IT risks are managed appropriately. |
| | The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that UNDESIRED events will be prevented or detected and corrected. |
| COBIT's 4 Broad IT Control Process Domains | Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate. |
| | Establish a strategic vision for IT. Develop tactics to plan, communicate, and manage realization of the strategic vision. |
| | Identify automated solutions. Develop and acquire IT solutions. Integrate IT solutions into operational processes. Manage changes to existing IT systems. |
| | Deliver required IT services. Ensure security and continuous service. Provide support services. |
| | Monitor and evaluate the processes. |